Tumblr iPhone app fixed after plaintext password goof spotted

Tumblr has been forced to rush out a patched version of its iPhone and iPad apps, and has advised all users to change their password, after researchers discovered the apps had been transmitting login credentials in plain text. The new version of the app, released to Apple’s App Store overnight, fixes a flaw where username and password details were transmitted without any encryption; if the user had connected over a public or compromised WiFi network, those credentials could feasibly be “sniffed” by a third-party and stolen.

The security shortcoming was spotted by an iOS app auditor, The Register reports, while in the process of checking which apps were suitable for use on a corporate network. The previous version of the Tumblr app came up clean when it came to what data on the phone it had access to, but a check of the network logs showed that the iOS software wasn’t following best practices when it came to password security.

“The Tumblr iOS app is sending the password over plain text and not over SSL” the researcher said. “This occurs when you first log into the application, although I didn’t check past the initial logon screen.”

The setup differed from Tumblr’s login process on other platforms. On the desktop, for instance, the microblogging service – which was acquired by Yahoo in a $1.1bn deal last May – passes all credentials through an SSL connection.

According to the researcher, attempts to report the flaw to Tumblr’s security team fell on deaf ears. However, since the issue has become higher-profile, Yahoo and Tumblr have finally responded.

“Please know that we take your security very seriously and are tremendously sorry for this lapse and inconvenience” the company said in a statement on the newly updated apps.

The fear is that Tumblr users accessing their accounts in public over unsecured wireless connections could have inadvertently handed over access to anybody sniffing traffic. The advice is to not only change the password on Tumblr now, but on any service where you used the same login credentials.